
Service-linked roles


A trusted cloud service can access the resources of other cloud services by assuming a RAM role. RAM roles whose trusted entity is an Alibaba Cloud service come in two kinds: ordinary service roles and service-linked roles. In some scenarios, Function Compute needs permissions on other cloud services to carry out one of its own features, so it creates a role linked to the service: the service-linked role AliyunServiceRoleForFC. Function Compute 3.0 can bind AliyunServiceRoleForFC to FaaS functions, granting a function access to other cloud services within a least-privilege scope.

Usage notes

  • When you log on to the Function Compute console for the first time, you must authorize Function Compute to automatically create the service-linked role for the target service; only then can the corresponding features work in Function Compute.

  • If the service-linked role is deleted, the features that depend on it stop working; for example, EventBridge can no longer publish events to the corresponding Alibaba Cloud service. Delete it with caution. To use those features again, you must re-create the role. For details, see Create a service-linked role.

AliyunServiceRoleForFC

The service-linked role AliyunServiceRoleForFC obtains permissions on cloud resources such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Simple Log Service (SLS), and Container Registry, which Function Compute uses to implement function-to-VPC connectivity, image pulling, resource reclamation, and log export.

The service-linked role AliyunServiceRoleForFC is attached the policy AliyunServiceRolePolicyForFC, whose content is shown below. Note how it is scoped: most statements are granted on Resource "*" (account-wide for those actions), the log project and logstore management actions are restricted to projects named aliyun-fc-* and to logstores named function-log*, and ram:DeleteServiceLinkedRole is allowed only when the ram:ServiceName condition key equals fc.aliyuncs.com, so the role can remove service-linked roles belonging to Function Compute only.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitchAttributes",
                "vpc:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
                "ecs:CreateNetworkInterfacePermission",
                "ecs:DeleteNetworkInterfacePermission",
                "ecs:DescribeNetworkInterfacePermissions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cr:PullRepository",
                "cr:GetArtifactTag",
                "cr:GetAuthorizationToken",
                "cr:GetRepository",
                "cr:GetRepositoryTag",
                "cr:GetRepoTagManifest",
                "cr:GetRepositoryManifest",
                "cr:GetInstanceVpcEndpoint",
                "cr:GetInstance",
                "cr:GetNamespace",
                "cr:GetArtifactBuildRule",
                "cr:CreateArtifactBuildTask"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "fc:InvokeFunction",
                "eventbridge:PutEvents",
                "mq:PUB",
                "mq:OnsInstanceBaseInfo",
                "mns:SendMessage",
                "mns:PublishMessage",
                "fnf:ReportTaskSucceeded",
                "fnf:ReportTaskFailed"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateProject",
                "log:CreateLogStore",
                "log:GetProject",
                "log:GetLogStore",
                "log:DeleteProject",
                "log:DeleteLogStore",
                "log:GetLogStoreLogs"
            ],
            "Resource": [
                "acs:log:*:*:project/aliyun-fc-*",
                "acs:log:*:*:project/*/logstore/function-log*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "fc.aliyuncs.com"
                }
            }
        }
    ]
}
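To see how the resource scoping in this policy actually behaves, here is an added example (not code from this page or from Alibaba Cloud): a minimal evaluator for the subset of RAM policy semantics the document above uses (Allow statements, `*` wildcards in Action and Resource, and a `StringEquals` condition), run against an embedded subset of the statements above. The ARNs and the account ID 1234567890 in the sample calls are constructed placeholders, and the evaluator is a model for reasoning about the policy, not the RAM authorization engine.

```python
"""Minimal RAM policy evaluator for reasoning about AliyunServiceRolePolicyForFC.

Added example, not from the page or from Alibaba Cloud. It models only the
subset of RAM semantics the policy above uses: Allow statements, "*" wildcards
in Action and Resource, and a StringEquals condition. Deny statements, other
condition operators and policy variables are out of scope; an unrecognised
condition operator is treated as not satisfied (fail closed).
"""
import re

# Subset of the statements from AliyunServiceRolePolicyForFC on this page,
# embedded so the script runs offline (the VPC, CR and messaging statements
# are omitted; they are scoped like the ECS statement below).
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:CreateNetworkInterface",
                "ecs:DeleteNetworkInterface",
                "ecs:DescribeNetworkInterfaces",
            ],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": [
                "log:CreateProject", "log:CreateLogStore", "log:GetProject",
                "log:GetLogStore", "log:DeleteProject", "log:DeleteLogStore",
                "log:GetLogStoreLogs",
            ],
            "Resource": [
                "acs:log:*:*:project/aliyun-fc-*",
                "acs:log:*:*:project/*/logstore/function-log*",
            ],
            "Effect": "Allow",
        },
        {"Action": ["log:PostLogStoreLogs"], "Resource": "*", "Effect": "Allow"},
        {
            "Effect": "Allow",
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringEquals": {"ram:ServiceName": "fc.aliyuncs.com"}},
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """Match a policy pattern where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_satisfied(condition, context):
    """Evaluate a Condition block against request context; only StringEquals is modelled."""
    if not condition:
        return True
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False  # unknown operator: fail closed
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if some Allow statement covers (action, resource, context)."""
    context = context or {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_satisfied(statement.get("Condition"), context):
            continue
        return True
    return False


def unscoped_statements(policy):
    """Action lists granted account-wide: Resource '*' and no Condition at all."""
    found = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or statement.get("Condition"):
            continue
        if "*" in _as_list(statement["Resource"]):
            found.append(sorted(_as_list(statement["Action"])))
    return found


if __name__ == "__main__":
    # Constructed ARNs; account ID 1234567890 is a placeholder.
    fc_project = "acs:log:cn-hangzhou:1234567890:project/aliyun-fc-cn-hangzhou-abc"
    other_project = "acs:log:cn-hangzhou:1234567890:project/payments-prod"
    print(is_allowed(POLICY, "log:DeleteProject", fc_project))     # True
    print(is_allowed(POLICY, "log:DeleteProject", other_project))  # False
    print(is_allowed(POLICY, "ram:DeleteServiceLinkedRole",
                     "acs:ram:*:1234567890:role/AliyunServiceRoleForFC",
                     {"ram:ServiceName": "fc.aliyuncs.com"}))      # True
    for actions in unscoped_statements(POLICY):
        print("account-wide:", ", ".join(actions))
```

The two checks worth keeping in mind from this run: the log management actions cannot touch a project that is not named aliyun-fc-* unless the target is a function-log* logstore inside it, while log:PostLogStoreLogs and the ECS ENI actions are account-wide; and the deletion right is inert unless the request carries ram:ServiceName equal to fc.aliyuncs.com, which is why deleting the role for another service with this policy fails.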
